In today’s short post, which is part 1 of our posts on How to Perform Simple Active Directory Audits, we’ll take a quick look at how IT administrators, IT managers, IT consultants as well as IT and Cyber Security auditors worldwide can easily perform a basic Active Directory Audit using the free version of our unique, trustworthy, professional-grade free Active Directory Audit Tool.

Basic Active Directory Audit vs Advanced Active Directory Audit

A Basic Active Directory Audit is one that includes an audit of all basic aspects of Active Directory security, such as obtaining an overview and details of Active Directory content, including basic details about Active Directory domain user accounts (e.g. how many in total, as well as their state e.g. active accounts, inactive accounts, stale accounts, expired accounts, etc.), domain computer accounts (e.g. how many in total, security settings, operating system/role e.g. domain controllers, workstations, servers, trusted for unconstrained delegation etc.), domain security groups (type, empty etc.), Organizational Units (OUs), GPOs, service connection points etc.

In contrast, an Advanced Active Directory Audit, a topic that we will cover in days to come, covers advanced Active Directory Security topics, such as accurately identifying all privileged users in Active Directory, correctly identifying who can run Mimikatz DCSync against an Active Directory domain, accurately identifying who has what administrative access (both delegated and unrestricted) domain-wide in Active Directory, correctly auditing all administrative delegations in Active Directory, accurately identifying effective permissions/access on all sensitive Active Directory objects etc.

For example, a basic Active Directory audit may include a list of all domain user accounts as well as their account states, whereas an advanced Active Directory audit would additionally accurately identify exactly who can manage these domain user accounts (e.g. who can reset their passwords, delete them, change access control on them, etc.) Similarly, while a basic Active Directory audit may involve identifying privileged users in Active Directory based on the value of the admincount attribute on domain user accounts (which is not the right way to do so), an advanced Active Directory audit would involve identifying privileged users in Active Directory based on an accurate domain-wide determination of who can actually enact what privileged tasks in Active Directory (which is the right way to do so.)

A custom list based on specific parameters that can be customized using custom LDAP filter of your choice

Each one of these reports can be instantly generated using our free tool. Our free basic Active Directory Audit Tool includes 100 built-in, fully customizable (via LDAP filters) Active Directory audit reports. It does not require any administrative access or any knowledge of Active Directory to use. It can be download and installed on any domain-joined machine in under 2 minutes.

Tool Download Point + Additional Info

You can download our free Active Directory audit tool from here. For more info on advanced Active Directory audits, you can download our 100+ slide-deck on Active Directory Security.

In days to come, we will all cover how to perform specific basic as well as advanced Active Directory audits.